packages/kubernetes
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

update to 1.24.0

Browse Source 
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
This commit is contained in:
zhangxiaoyu 2023-01-03 15:05:23 +08:00
parent cc5ccebb1d
commit 742f1b97fe
14 changed files with 216 additions and 1072 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
0001-fix-compile-options.patch Normal file
View File

@ -0,0 +1,42 @@
From 6f69a95a25dc6fb1b3d0e024cb28f5c83022dc58 Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Tue, 3 Jan 2023 14:19:44 +0800
Subject: fix compile options
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
hack/lib/golang.sh | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hack/lib/golang.sh b/hack/lib/golang.sh
index 2865da28..ed64483e 100755
--- a/hack/lib/golang.sh
+++ b/hack/lib/golang.sh
@@ -709,6 +709,7 @@ kube::golang::build_binaries_for_platform() {
-installsuffix=static
${goflags:+"${goflags[@]}"}
-gcflags="${gogcflags}"
+ -buildmode=pie
-asmflags="${goasmflags}"
-ldflags="${goldflags}"
-tags="${gotags:-}"
@@ -720,6 +721,7 @@ kube::golang::build_binaries_for_platform() {
build_args=(
${goflags:+"${goflags[@]}"}
-gcflags="${gogcflags}"
+ -buildmode=pie
-asmflags="${goasmflags}"
-ldflags="${goldflags}"
-tags="${gotags:-}"
@@ -808,7 +810,7 @@ kube::golang::build_binaries() {
gogcflags="${gogcflags} -N -l"
fi
- goldflags="all=$(kube::version::ldflags) ${GOLDFLAGS:-}"
+ goldflags="all=$(kube::version::ldflags) ${GOLDFLAGS:-} -linkmode=external"
if [[ "${DBG:-}" != 1 ]]; then
# Not debugging - disable symbols and DWARF.
goldflags="${goldflags} -s -w"
--
2.25.1

42
0002-fix-compile-options.patch
View File

@ -1,42 +0,0 @@
From 64a21ff088bc4271f596cd1e622d50293eb9566a Mon Sep 17 00:00:00 2001
From: WangFengTu <wangfengtu@huawei.com>
Date: Mon, 22 Mar 2021 14:31:00 +0800
Subject: [PATCH] fix compile options
Signed-off-by: WangFengTu <wangfengtu@huawei.com>
---
hack/lib/golang.sh | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/hack/lib/golang.sh b/hack/lib/golang.sh
index bef1d837..6d467a8e 100755
--- a/hack/lib/golang.sh
+++ b/hack/lib/golang.sh
@@ -701,6 +701,7 @@ kube::golang::build_binaries_for_platform() {
-installsuffix static
${goflags:+"${goflags[@]}"}
-gcflags "${gogcflags:-}"
+ -buildmode=pie
-asmflags "${goasmflags:-}"
-ldflags "${goldflags:-}"
-tags "${gotags:-}"
@@ -712,6 +713,7 @@ kube::golang::build_binaries_for_platform() {
build_args=(
${goflags:+"${goflags[@]}"}
-gcflags "${gogcflags:-}"
+ -buildmode=pie
-asmflags "${goasmflags:-}"
-ldflags "${goldflags:-}"
-tags "${gotags:-}"
@@ -787,7 +789,7 @@ kube::golang::build_binaries() {
# Disable SC2153 for this, as it will throw a warning that the local
# variable goldflags will exist, and it suggest changing it to this.
# shellcheck disable=SC2153
- goldflags="${GOLDFLAGS=-s -w -buildid=} $(kube::version::ldflags)"
+ goldflags="${GOLDFLAGS=-s -w -buildid=} $(kube::version::ldflags) -linkmode=external"
goasmflags="-trimpath=${KUBE_ROOT}"
gogcflags="${GOGCFLAGS:-} -trimpath=${KUBE_ROOT}"
--
2.25.1

88
0001-kubelet-support-exec-websocket-protocol.patch → 0002-kubelet-support-exec-and-attach-websocket-protocol.patch
View File

@ -1,21 +1,21 @@
From ac8fda0c77cb588f59aff7c86c05933a7a2d77c4 Mon Sep 17 00:00:00 2001
From: gaohuatao <gaohuatao@huawei.com>
Date: Wed, 3 Feb 2021 14:59:37 +0800
Subject: [PATCH] kubelet support exec websocket protocol
From 2bdde6764d529d9f0633178b171aa193280d6ecb Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Tue, 3 Jan 2023 14:20:10 +0800
Subject: kubelet support exec and attach websocket protocol
Signed-off-by: gaohuatao <gaohuatao@huawei.com>
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
.../cri/streaming/remotecommand/proxy.go | 197 ++++++++++++++++++
pkg/kubelet/server/server.go | 21 +-
2 files changed, 214 insertions(+), 4 deletions(-)
.../cri/streaming/remotecommand/proxy.go | 206 ++++++++++++++++++
pkg/kubelet/server/server.go | 43 +++-
2 files changed, 241 insertions(+), 8 deletions(-)
create mode 100644 pkg/kubelet/cri/streaming/remotecommand/proxy.go
diff --git a/pkg/kubelet/cri/streaming/remotecommand/proxy.go b/pkg/kubelet/cri/streaming/remotecommand/proxy.go
new file mode 100644
index 00000000..5b99747c
index 00000000..f21629af
--- /dev/null
+++ b/pkg/kubelet/cri/streaming/remotecommand/proxy.go
@@ -0,0 +1,197 @@
@@ -0,0 +1,206 @@
+package remotecommand
+
+import (
@ -187,14 +187,23 @@ index 00000000..5b99747c
+ websocket.DefaultDialer.ReadBufferSize = 128 * 1024
+ websocket.DefaultDialer.WriteBufferSize = 128 * 1024
+ ws, resp, err := websocket.DefaultDialer.Dial(addr, h)
+ if err != nil {
+ if err == nil {
+ return ws, nil
+ }
+ msg := fmt.Errorf("dial failed: %v, response Body is nil", err)
+ if resp != nil && resp.Body != nil {
+ defer func() {
+ //websocket buffer size maybe not enough and cause panic
+ if e := recover(); e != nil {
+ msg = fmt.Errorf("dial failed: %v, response panic %v", err, e)
+ }
+ resp.Body.Close()
+ }()
+ var body bytes.Buffer
+ body.ReadFrom(resp.Body)
+ defer resp.Body.Close()
+ msg := fmt.Errorf("dial failed: %v, response is: %v", err, body.String())
+ return nil, msg
+ msg = fmt.Errorf("dial failed: %v, response is: %v", err, body.String())
+ }
+ return ws, nil
+ return nil, msg
+}
+
+type rwc struct {
@ -214,10 +223,53 @@ index 00000000..5b99747c
+ return len(p), nil
+}
diff --git a/pkg/kubelet/server/server.go b/pkg/kubelet/server/server.go
index 2b033e2c..1d19fed6 100644
index 127192e0..cd11f807 100644
--- a/pkg/kubelet/server/server.go
+++ b/pkg/kubelet/server/server.go
@@ -782,26 +782,39 @@ func (s *Server) getAttach(request *restful.Request, response *restful.Response)
@@ -769,51 +769,78 @@ func proxyStream(w http.ResponseWriter, r *http.Request, url *url.URL) {
// getAttach handles requests to attach to a container.
func (s *Server) getAttach(request *restful.Request, response *restful.Response) {
- params := getExecRequestParams(request)
streamOpts, err := remotecommandserver.NewOptions(request.Request)
if err != nil {
utilruntime.HandleError(err)
response.WriteError(http.StatusBadRequest, err)
return
}
+
+ url, err := s.getAttachUrl(request, response, streamOpts)
+ if err != nil {
+ klog.Errorf("failed to get backend url %v", err)
+ return
+ }
+ if url.Scheme == "ws" || url.Scheme == "wss" {
+ remotecommandserver.ProxyToWebSocket(response.ResponseWriter, request.Request, url, streamOpts)
+ } else {
+ proxyStream(response.ResponseWriter, request.Request, url)
+ }
+}
+
+func (s *Server) getAttachUrl(request *restful.Request, response *restful.Response, streamOpts *remotecommandserver.Options) (*url.URL, error) {
+ params := getExecRequestParams(request)
pod, ok := s.host.GetPodByName(params.podNamespace, params.podName)
if !ok {
response.WriteError(http.StatusNotFound, fmt.Errorf("pod does not exist"))
- return
+ return nil, fmt.Errorf("pod not found")
}
podFullName := kubecontainer.GetPodFullName(pod)
url, err := s.host.GetAttach(podFullName, params.podUID, params.containerName, *streamOpts)
if err != nil {
streaming.WriteError(err, response.ResponseWriter)
- return
+ return nil, err
}
- proxyStream(response.ResponseWriter, request.Request, url)
+ return url, nil
}
// getExec handles requests to run a command inside a container.
func (s *Server) getExec(request *restful.Request, response *restful.Response) {
@ -262,5 +314,5 @@ index 2b033e2c..1d19fed6 100644
// getRun handles requests to run a command inside a container.
--
2.20.1
2.25.1

394
0003-fix-CVE-2021-25735.patch
View File

@ -1,394 +0,0 @@
Reference: https://github.com/kubernetes/kubernetes/pull/100315/files
diff --git a/pkg/apis/apps/validation/validation.go b/pkg/apis/apps/validation/validation.go
index e297c8a..ef784d6 100644
--- a/pkg/apis/apps/validation/validation.go
+++ b/pkg/apis/apps/validation/validation.go
@@ -144,21 +144,15 @@ func ValidateStatefulSet(statefulSet *apps.StatefulSet) field.ErrorList {
func ValidateStatefulSetUpdate(statefulSet, oldStatefulSet *apps.StatefulSet) field.ErrorList {
allErrs := apivalidation.ValidateObjectMetaUpdate(&statefulSet.ObjectMeta, &oldStatefulSet.ObjectMeta, field.NewPath("metadata"))
- restoreReplicas := statefulSet.Spec.Replicas
- statefulSet.Spec.Replicas = oldStatefulSet.Spec.Replicas
-
- restoreTemplate := statefulSet.Spec.Template
- statefulSet.Spec.Template = oldStatefulSet.Spec.Template
-
- restoreStrategy := statefulSet.Spec.UpdateStrategy
- statefulSet.Spec.UpdateStrategy = oldStatefulSet.Spec.UpdateStrategy
-
- if !apiequality.Semantic.DeepEqual(statefulSet.Spec, oldStatefulSet.Spec) {
+ // statefulset updates aren't super common and general updates are likely to be touching spec, so we'll do this
+ // deep copy right away. This avoids mutating our inputs
+ newStatefulSetClone := statefulSet.DeepCopy()
+ newStatefulSetClone.Spec.Replicas = oldStatefulSet.Spec.Replicas // +k8s:verify-mutation:reason=clone
+ newStatefulSetClone.Spec.Template = oldStatefulSet.Spec.Template // +k8s:verify-mutation:reason=clone
+ newStatefulSetClone.Spec.UpdateStrategy = oldStatefulSet.Spec.UpdateStrategy // +k8s:verify-mutation:reason=clone
+ if !apiequality.Semantic.DeepEqual(newStatefulSetClone.Spec, oldStatefulSet.Spec) {
allErrs = append(allErrs, field.Forbidden(field.NewPath("spec"), "updates to statefulset spec for fields other than 'replicas', 'template', and 'updateStrategy' are forbidden"))
}
- statefulSet.Spec.Replicas = restoreReplicas
- statefulSet.Spec.Template = restoreTemplate
- statefulSet.Spec.UpdateStrategy = restoreStrategy
allErrs = append(allErrs, apivalidation.ValidateNonnegativeField(int64(statefulSet.Spec.Replicas), field.NewPath("spec", "replicas"))...)
return allErrs
diff --git a/pkg/apis/core/validation/BUILD b/pkg/apis/core/validation/BUILD
index 70d2bd7..d65041e 100644
--- a/pkg/apis/core/validation/BUILD
+++ b/pkg/apis/core/validation/BUILD
@@ -41,7 +41,6 @@ go_library(
"//staging/src/k8s.io/apimachinery/pkg/util/validation:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
- "//vendor/k8s.io/klog/v2:go_default_library",
"//vendor/k8s.io/utils/net:go_default_library",
],
)
diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go
index fd34771..af58e0e 100644
--- a/pkg/apis/core/validation/validation.go
+++ b/pkg/apis/core/validation/validation.go
@@ -29,8 +29,6 @@ import (
"unicode"
"unicode/utf8"
- "k8s.io/klog/v2"
-
v1 "k8s.io/api/core/v1"
apiequality "k8s.io/apimachinery/pkg/api/equality"
"k8s.io/apimachinery/pkg/api/resource"
@@ -1944,13 +1942,11 @@ func ValidatePersistentVolumeUpdate(newPv, oldPv *core.PersistentVolume) field.E
}
// ValidatePersistentVolumeStatusUpdate tests to see if the status update is legal for an end user to make.
-// newPv is updated with fields that cannot be changed.
func ValidatePersistentVolumeStatusUpdate(newPv, oldPv *core.PersistentVolume) field.ErrorList {
allErrs := ValidateObjectMetaUpdate(&newPv.ObjectMeta, &oldPv.ObjectMeta, field.NewPath("metadata"))
if len(newPv.ResourceVersion) == 0 {
allErrs = append(allErrs, field.Required(field.NewPath("resourceVersion"), ""))
}
- newPv.Spec = oldPv.Spec
return allErrs
}
@@ -2023,7 +2019,7 @@ func ValidatePersistentVolumeClaimUpdate(newPvc, oldPvc *core.PersistentVolumeCl
// Claims are immutable in order to enforce quota, range limits, etc. without gaming the system.
if len(oldPvc.Spec.VolumeName) == 0 {
// volumeName changes are allowed once.
- oldPvcClone.Spec.VolumeName = newPvcClone.Spec.VolumeName
+ oldPvcClone.Spec.VolumeName = newPvcClone.Spec.VolumeName // +k8s:verify-mutation:reason=clone
}
if validateStorageClassUpgrade(oldPvcClone.Annotations, newPvcClone.Annotations,
@@ -2039,7 +2035,7 @@ func ValidatePersistentVolumeClaimUpdate(newPvc, oldPvc *core.PersistentVolumeCl
if utilfeature.DefaultFeatureGate.Enabled(features.ExpandPersistentVolumes) {
// lets make sure storage values are same.
if newPvc.Status.Phase == core.ClaimBound && newPvcClone.Spec.Resources.Requests != nil {
- newPvcClone.Spec.Resources.Requests["storage"] = oldPvc.Spec.Resources.Requests["storage"]
+ newPvcClone.Spec.Resources.Requests["storage"] = oldPvc.Spec.Resources.Requests["storage"] // +k8s:verify-mutation:reason=clone
}
oldSize := oldPvc.Spec.Resources.Requests["storage"]
@@ -2096,7 +2092,6 @@ func ValidatePersistentVolumeClaimStatusUpdate(newPvc, oldPvc *core.PersistentVo
for r, qty := range newPvc.Status.Capacity {
allErrs = append(allErrs, validateBasicResource(qty, capPath.Key(string(r)))...)
}
- newPvc.Spec = oldPvc.Spec
return allErrs
}
@@ -2419,13 +2414,13 @@ func GetVolumeMountMap(mounts []core.VolumeMount) map[string]string {
}
func GetVolumeDeviceMap(devices []core.VolumeDevice) map[string]string {
- voldevices := make(map[string]string)
+ volDevices := make(map[string]string)
for _, dev := range devices {
- voldevices[dev.Name] = dev.DevicePath
+ volDevices[dev.Name] = dev.DevicePath
}
- return voldevices
+ return volDevices
}
func ValidateVolumeMounts(mounts []core.VolumeMount, voldevices map[string]string, volumes map[string]core.VolumeSource, container *core.Container, fldPath *field.Path) field.ErrorList {
@@ -3089,10 +3084,11 @@ func validateOnlyAddedTolerations(newTolerations []core.Toleration, oldToleratio
allErrs := field.ErrorList{}
for _, old := range oldTolerations {
found := false
- old.TolerationSeconds = nil
- for _, new := range newTolerations {
- new.TolerationSeconds = nil
- if reflect.DeepEqual(old, new) {
+ oldTolerationClone := old.DeepCopy()
+ for _, newToleration := range newTolerations {
+ // assign to our clone before doing a deep equal so we can allow tolerationseconds to change.
+ oldTolerationClone.TolerationSeconds = newToleration.TolerationSeconds // +k8s:verify-mutation:reason=clone
+ if reflect.DeepEqual(*oldTolerationClone, newToleration) {
found = true
break
}
@@ -3970,37 +3966,44 @@ func ValidatePodUpdate(newPod, oldPod *core.Pod, opts PodValidationOptions) fiel
allErrs = append(allErrs, field.Invalid(specPath.Child("activeDeadlineSeconds"), newPod.Spec.ActiveDeadlineSeconds, "must not update from a positive integer to nil value"))
}
+ // Allow only additions to tolerations updates.
+ allErrs = append(allErrs, validateOnlyAddedTolerations(newPod.Spec.Tolerations, oldPod.Spec.Tolerations, specPath.Child("tolerations"))...)
+
+ // the last thing to check is pod spec equality. If the pod specs are equal, then we can simply return the errors we have
+ // so far and save the cost of a deep copy.
+ if apiequality.Semantic.DeepEqual(newPod.Spec, oldPod.Spec) {
+ return allErrs
+ }
+
// handle updateable fields by munging those fields prior to deep equal comparison.
- mungedPod := *newPod
+ mungedPodSpec := *newPod.Spec.DeepCopy()
// munge spec.containers[*].image
var newContainers []core.Container
- for ix, container := range mungedPod.Spec.Containers {
- container.Image = oldPod.Spec.Containers[ix].Image
+ for ix, container := range mungedPodSpec.Containers {
+ container.Image = oldPod.Spec.Containers[ix].Image // +k8s:verify-mutation:reason=clone
newContainers = append(newContainers, container)
}
- mungedPod.Spec.Containers = newContainers
+ mungedPodSpec.Containers = newContainers
// munge spec.initContainers[*].image
var newInitContainers []core.Container
- for ix, container := range mungedPod.Spec.InitContainers {
- container.Image = oldPod.Spec.InitContainers[ix].Image
+ for ix, container := range mungedPodSpec.InitContainers {
+ container.Image = oldPod.Spec.InitContainers[ix].Image // +k8s:verify-mutation:reason=clone
newInitContainers = append(newInitContainers, container)
}
- mungedPod.Spec.InitContainers = newInitContainers
+ mungedPodSpec.InitContainers = newInitContainers
// munge spec.activeDeadlineSeconds
- mungedPod.Spec.ActiveDeadlineSeconds = nil
+ mungedPodSpec.ActiveDeadlineSeconds = nil
if oldPod.Spec.ActiveDeadlineSeconds != nil {
activeDeadlineSeconds := *oldPod.Spec.ActiveDeadlineSeconds
- mungedPod.Spec.ActiveDeadlineSeconds = &activeDeadlineSeconds
+ mungedPodSpec.ActiveDeadlineSeconds = &activeDeadlineSeconds
}
+ // tolerations are checked before the deep copy, so munge those too
+ mungedPodSpec.Tolerations = oldPod.Spec.Tolerations // +k8s:verify-mutation:reason=clone
- // Allow only additions to tolerations updates.
- mungedPod.Spec.Tolerations = oldPod.Spec.Tolerations
- allErrs = append(allErrs, validateOnlyAddedTolerations(newPod.Spec.Tolerations, oldPod.Spec.Tolerations, specPath.Child("tolerations"))...)
-
- if !apiequality.Semantic.DeepEqual(mungedPod.Spec, oldPod.Spec) {
+ if !apiequality.Semantic.DeepEqual(mungedPodSpec, oldPod.Spec) {
// This diff isn't perfect, but it's a helluva lot better an "I'm not going to tell you what the difference is".
//TODO: Pinpoint the specific field that causes the invalid error after we have strategic merge diff
- specDiff := diff.ObjectDiff(mungedPod.Spec, oldPod.Spec)
+ specDiff := diff.ObjectDiff(mungedPodSpec, oldPod.Spec)
allErrs = append(allErrs, field.Forbidden(specPath, fmt.Sprintf("pod updates may not change fields other than `spec.containers[*].image`, `spec.initContainers[*].image`, `spec.activeDeadlineSeconds` or `spec.tolerations` (only additions to existing tolerations)\n%v", specDiff)))
}
@@ -4032,8 +4035,7 @@ func ValidateContainerStateTransition(newStatuses, oldStatuses []core.ContainerS
return allErrs
}
-// ValidatePodStatusUpdate tests to see if the update is legal for an end user to make. newPod is updated with fields
-// that cannot be changed.
+// ValidatePodStatusUpdate tests to see if the update is legal for an end user to make.
func ValidatePodStatusUpdate(newPod, oldPod *core.Pod) field.ErrorList {
fldPath := field.NewPath("metadata")
allErrs := ValidateObjectMetaUpdate(&newPod.ObjectMeta, &oldPod.ObjectMeta, fldPath)
@@ -4064,9 +4066,6 @@ func ValidatePodStatusUpdate(newPod, oldPod *core.Pod) field.ErrorList {
}
}
- // For status update we ignore changes to pod spec.
- newPod.Spec = oldPod.Spec
-
return allErrs
}
@@ -4754,11 +4753,8 @@ func ValidateNodeUpdate(node, oldNode *core.Node) field.ErrorList {
addresses[address] = true
}
- if len(oldNode.Spec.PodCIDRs) == 0 {
- // Allow the controller manager to assign a CIDR to a node if it doesn't have one.
- //this is a no op for a string slice.
- oldNode.Spec.PodCIDRs = node.Spec.PodCIDRs
- } else {
+ // Allow the controller manager to assign a CIDR to a node if it doesn't have one.
+ if len(oldNode.Spec.PodCIDRs) > 0 {
// compare the entire slice
if len(oldNode.Spec.PodCIDRs) != len(node.Spec.PodCIDRs) {
allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "podCIDRs"), "node updates may not change podCIDR except from \"\" to valid"))
@@ -4772,46 +4768,35 @@ func ValidateNodeUpdate(node, oldNode *core.Node) field.ErrorList {
}
// Allow controller manager updating provider ID when not set
- if len(oldNode.Spec.ProviderID) == 0 {
- oldNode.Spec.ProviderID = node.Spec.ProviderID
- } else {
- if oldNode.Spec.ProviderID != node.Spec.ProviderID {
- allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "providerID"), "node updates may not change providerID except from \"\" to valid"))
- }
+ if len(oldNode.Spec.ProviderID) > 0 && oldNode.Spec.ProviderID != node.Spec.ProviderID {
+ allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "providerID"), "node updates may not change providerID except from \"\" to valid"))
}
if node.Spec.ConfigSource != nil {
allErrs = append(allErrs, validateNodeConfigSourceSpec(node.Spec.ConfigSource, field.NewPath("spec", "configSource"))...)
}
- oldNode.Spec.ConfigSource = node.Spec.ConfigSource
if node.Status.Config != nil {
allErrs = append(allErrs, validateNodeConfigStatus(node.Status.Config, field.NewPath("status", "config"))...)
}
- oldNode.Status.Config = node.Status.Config
-
- // TODO: move reset function to its own location
- // Ignore metadata changes now that they have been tested
- oldNode.ObjectMeta = node.ObjectMeta
- // Allow users to update capacity
- oldNode.Status.Capacity = node.Status.Capacity
- // Allow users to unschedule node
- oldNode.Spec.Unschedulable = node.Spec.Unschedulable
- // Clear status
- oldNode.Status = node.Status
// update taints
if len(node.Spec.Taints) > 0 {
allErrs = append(allErrs, validateNodeTaints(node.Spec.Taints, fldPath.Child("taints"))...)
}
- oldNode.Spec.Taints = node.Spec.Taints
- // We made allowed changes to oldNode, and now we compare oldNode to node. Any remaining differences indicate changes to protected fields.
- // TODO: Add a 'real' error type for this error and provide print actual diffs.
- if !apiequality.Semantic.DeepEqual(oldNode, node) {
- klog.V(4).Infof("Update failed validation %#v vs %#v", oldNode, node)
- allErrs = append(allErrs, field.Forbidden(field.NewPath(""), "node updates may only change labels, taints, or capacity (or configSource, if the DynamicKubeletConfig feature gate is enabled)"))
+ if node.Spec.DoNotUseExternalID != oldNode.Spec.DoNotUseExternalID {
+ allErrs = append(allErrs, field.Forbidden(field.NewPath("spec", "externalID"), "may not be updated"))
}
+ // status and metadata are allowed change (barring restrictions above), so separately test spec field.
+ // spec only has a few fields, so check the ones we don't allow changing
+ // 1. PodCIDRs - immutable after first set - checked above
+ // 2. ProviderID - immutable after first set - checked above
+ // 3. Unschedulable - allowed to change
+ // 4. Taints - allowed to change
+ // 5. ConfigSource - allowed to change (and checked above)
+ // 6. DoNotUseExternalID - immutable - checked above
+
return allErrs
}
@@ -5224,10 +5209,6 @@ func ValidateSecret(secret *core.Secret) field.ErrorList {
func ValidateSecretUpdate(newSecret, oldSecret *core.Secret) field.ErrorList {
allErrs := ValidateObjectMetaUpdate(&newSecret.ObjectMeta, &oldSecret.ObjectMeta, field.NewPath("metadata"))
- if len(newSecret.Type) == 0 {
- newSecret.Type = oldSecret.Type
- }
-
allErrs = append(allErrs, ValidateImmutableField(newSecret.Type, oldSecret.Type, field.NewPath("type"))...)
if oldSecret.Immutable != nil && *oldSecret.Immutable {
if newSecret.Immutable == nil || !*newSecret.Immutable {
@@ -5527,7 +5508,6 @@ func ValidateResourceQuantityValue(resource string, value resource.Quantity, fld
}
// ValidateResourceQuotaUpdate tests to see if the update is legal for an end user to make.
-// newResourceQuota is updated with fields that cannot be changed.
func ValidateResourceQuotaUpdate(newResourceQuota, oldResourceQuota *core.ResourceQuota) field.ErrorList {
allErrs := ValidateObjectMetaUpdate(&newResourceQuota.ObjectMeta, &oldResourceQuota.ObjectMeta, field.NewPath("metadata"))
allErrs = append(allErrs, ValidateResourceQuotaSpec(&newResourceQuota.Spec, field.NewPath("spec"))...)
@@ -5546,12 +5526,10 @@ func ValidateResourceQuotaUpdate(newResourceQuota, oldResourceQuota *core.Resour
allErrs = append(allErrs, field.Invalid(fldPath, newResourceQuota.Spec.Scopes, fieldImmutableErrorMsg))
}
- newResourceQuota.Status = oldResourceQuota.Status
return allErrs
}
// ValidateResourceQuotaStatusUpdate tests to see if the status update is legal for an end user to make.
-// newResourceQuota is updated with fields that cannot be changed.
func ValidateResourceQuotaStatusUpdate(newResourceQuota, oldResourceQuota *core.ResourceQuota) field.ErrorList {
allErrs := ValidateObjectMetaUpdate(&newResourceQuota.ObjectMeta, &oldResourceQuota.ObjectMeta, field.NewPath("metadata"))
if len(newResourceQuota.ResourceVersion) == 0 {
@@ -5569,7 +5547,6 @@ func ValidateResourceQuotaStatusUpdate(newResourceQuota, oldResourceQuota *core.
allErrs = append(allErrs, ValidateResourceQuotaResourceName(string(k), resPath)...)
allErrs = append(allErrs, ValidateResourceQuantityValue(string(k), v, resPath)...)
}
- newResourceQuota.Spec = oldResourceQuota.Spec
return allErrs
}
@@ -5602,19 +5579,14 @@ func validateKubeFinalizerName(stringValue string, fldPath *field.Path) field.Er
}
// ValidateNamespaceUpdate tests to make sure a namespace update can be applied.
-// newNamespace is updated with fields that cannot be changed
func ValidateNamespaceUpdate(newNamespace *core.Namespace, oldNamespace *core.Namespace) field.ErrorList {
allErrs := ValidateObjectMetaUpdate(&newNamespace.ObjectMeta, &oldNamespace.ObjectMeta, field.NewPath("metadata"))
- newNamespace.Spec.Finalizers = oldNamespace.Spec.Finalizers
- newNamespace.Status = oldNamespace.Status
return allErrs
}
-// ValidateNamespaceStatusUpdate tests to see if the update is legal for an end user to make. newNamespace is updated with fields
-// that cannot be changed.
+// ValidateNamespaceStatusUpdate tests to see if the update is legal for an end user to make.
func ValidateNamespaceStatusUpdate(newNamespace, oldNamespace *core.Namespace) field.ErrorList {
allErrs := ValidateObjectMetaUpdate(&newNamespace.ObjectMeta, &oldNamespace.ObjectMeta, field.NewPath("metadata"))
- newNamespace.Spec = oldNamespace.Spec
if newNamespace.DeletionTimestamp.IsZero() {
if newNamespace.Status.Phase != core.NamespaceActive {
allErrs = append(allErrs, field.Invalid(field.NewPath("status", "Phase"), newNamespace.Status.Phase, "may only be 'Active' if `deletionTimestamp` is empty"))
@@ -5628,7 +5600,6 @@ func ValidateNamespaceStatusUpdate(newNamespace, oldNamespace *core.Namespace) f
}
// ValidateNamespaceFinalizeUpdate tests to see if the update is legal for an end user to make.
-// newNamespace is updated with fields that cannot be changed.
func ValidateNamespaceFinalizeUpdate(newNamespace, oldNamespace *core.Namespace) field.ErrorList {
allErrs := ValidateObjectMetaUpdate(&newNamespace.ObjectMeta, &oldNamespace.ObjectMeta, field.NewPath("metadata"))
@@ -5637,7 +5608,6 @@ func ValidateNamespaceFinalizeUpdate(newNamespace, oldNamespace *core.Namespace)
idxPath := fldPath.Index(i)
allErrs = append(allErrs, validateFinalizerName(string(newNamespace.Spec.Finalizers[i]), idxPath)...)
}
- newNamespace.Status = oldNamespace.Status
return allErrs
}
diff --git a/pkg/registry/core/secret/strategy.go b/pkg/registry/core/secret/strategy.go
index 0d5908d..aad0038 100644
--- a/pkg/registry/core/secret/strategy.go
+++ b/pkg/registry/core/secret/strategy.go
@@ -73,6 +73,12 @@ func (strategy) AllowCreateOnUpdate() bool {
func (strategy) PrepareForUpdate(ctx context.Context, obj, old runtime.Object) {
newSecret := obj.(*api.Secret)
oldSecret := old.(*api.Secret)
+
+ // this is weird, but consistent with what the validatedUpdate function used to do.
+ if len(newSecret.Type) == 0 {
+ newSecret.Type = oldSecret.Type
+ }
+
dropDisabledFields(newSecret, oldSecret)
}
diff --git a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation.go b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation.go
index e25dd1e..32ae5e9 100644
--- a/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation.go
+++ b/staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/validation/validation.go
@@ -1409,7 +1409,7 @@ func validateAPIApproval(newCRD, oldCRD *apiextensions.CustomResourceDefinition,
var oldApprovalState *apihelpers.APIApprovalState
if oldCRD != nil {
t, _ := apihelpers.GetAPIApprovalState(oldCRD.Annotations)
- oldApprovalState = &t
+ oldApprovalState = &t // +k8s:verify-mutation:reason=clone
}
newApprovalState, reason := apihelpers.GetAPIApprovalState(newCRD.Annotations)

6
0009-timeout-wait-backend-to-frontend-complete.patch → 0003-timeout-wait-backend-to-frontend-complete.patch
View File

@ -1,7 +1,7 @@
From dda1aed8f9655c9cac813a3633b27bacdce9af88 Mon Sep 17 00:00:00 2001
From 61834dbb52cc71a7e511f5b9af11b9799391ef1a Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Tue, 1 Nov 2022 15:34:16 +0800
Subject: [PATCH] timeout wait backend to frontend complete
Subject: timeout wait backend to frontend complete
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
@ -9,7 +9,7 @@ Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
1 file changed, 6 insertions(+)
diff --git a/pkg/kubelet/cri/streaming/remotecommand/proxy.go b/pkg/kubelet/cri/streaming/remotecommand/proxy.go
index f21629af..c14ea8dd 100644
index f21629af..296c6122 100644
--- a/pkg/kubelet/cri/streaming/remotecommand/proxy.go
+++ b/pkg/kubelet/cri/streaming/remotecommand/proxy.go
@@ -129,6 +129,12 @@ func ProxyToWebSocket(w http.ResponseWriter, r *http.Request, url *url.URL, opts

70
0007-Add-an-option-for-aggregator.patch → 0004-Add-an-option-for-aggregator.patch
View File

@ -1,23 +1,23 @@
From 1f72d5d61330dd6b4f1241b96ad44aab5131f7fe Mon Sep 17 00:00:00 2001
From 978dcb825f2808bd298bfbc6e9c91b1fd7859ba3 Mon Sep 17 00:00:00 2001
From: Di Jin <dxmhu@google.com>
Date: Thu, 1 Sep 2022 15:25:26 -0700
Subject: [PATCH] Add an option for aggregator
Subject: Add an option for aggregator
---
cmd/kube-apiserver/app/aggregator.go | 9 ++-
cmd/kube-apiserver/app/options/options.go | 9 ++-
.../app/options/options_test.go | 17 ++--
.../app/options/options_test.go | 5 +-
.../pkg/util/proxy/upgradeaware.go | 27 +++++++
.../pkg/util/proxy/upgradeaware_test.go | 77 +++++++++++++++++++
.../pkg/apiserver/apiserver.go | 7 ++
.../pkg/apiserver/handler_proxy.go | 6 ++
7 files changed, 138 insertions(+), 14 deletions(-)
7 files changed, 132 insertions(+), 8 deletions(-)
diff --git a/cmd/kube-apiserver/app/aggregator.go b/cmd/kube-apiserver/app/aggregator.go
index 4289ce48..1ac17065 100644
index 2466dcc2..9cf23362 100644
--- a/cmd/kube-apiserver/app/aggregator.go
+++ b/cmd/kube-apiserver/app/aggregator.go
@@ -109,10 +109,11 @@ func createAggregatorConfig(
@@ -111,10 +111,11 @@ func createAggregatorConfig(
SharedInformerFactory: externalInformers,
},
ExtraConfig: aggregatorapiserver.ExtraConfig{
@ -34,10 +34,10 @@ index 4289ce48..1ac17065 100644
}
diff --git a/cmd/kube-apiserver/app/options/options.go b/cmd/kube-apiserver/app/options/options.go
index 68a714bf..653179fd 100644
index 9672b187..794d0d9f 100644
--- a/cmd/kube-apiserver/app/options/options.go
+++ b/cmd/kube-apiserver/app/options/options.go
@@ -79,7 +79,8 @@ type ServerRunOptions struct {
@@ -75,7 +75,8 @@ type ServerRunOptions struct {
ProxyClientCertFile string
ProxyClientKeyFile string
@ -47,7 +47,7 @@ index 68a714bf..653179fd 100644
MasterCount int
EndpointReconcilerType string
@@ -134,7 +135,8 @@ func NewServerRunOptions() *ServerRunOptions {
@@ -131,7 +132,8 @@ func NewServerRunOptions() *ServerRunOptions {
},
HTTPTimeout: time.Duration(5) * time.Second,
},
@ -57,7 +57,7 @@ index 68a714bf..653179fd 100644
}
// Overwrite the default for storage data format.
@@ -280,6 +282,9 @@ func (s *ServerRunOptions) Flags() (fss cliflag.NamedFlagSets) {
@@ -243,6 +245,9 @@ func (s *ServerRunOptions) Flags() (fss cliflag.NamedFlagSets) {
fs.BoolVar(&s.EnableAggregatorRouting, "enable-aggregator-routing", s.EnableAggregatorRouting,
"Turns on aggregator routing requests to endpoints IP rather than cluster IP.")
@ -68,27 +68,15 @@ index 68a714bf..653179fd 100644
"Path to the file that contains the current private key of the service account token issuer. The issuer will sign issued ID tokens with this private key.")
diff --git a/cmd/kube-apiserver/app/options/options_test.go b/cmd/kube-apiserver/app/options/options_test.go
index 8ad927bb..1f188590 100644
index 26eb6a95..90e1f045 100644
--- a/cmd/kube-apiserver/app/options/options_test.go
+++ b/cmd/kube-apiserver/app/options/options_test.go
@@ -299,14 +299,15 @@ func TestAddFlags(t *testing.T) {
EgressSelector: &apiserveroptions.EgressSelectorOptions{
ConfigFile: "/var/run/kubernetes/egress-selector/connectivity.yaml",
@@ -315,8 +315,9 @@ func TestAddFlags(t *testing.T) {
Traces: &apiserveroptions.TracingOptions{
ConfigFile: "/var/run/kubernetes/tracing_config.yaml",
},
- EnableLogsHandler: false,
- EnableAggregatorRouting: true,
- ProxyClientKeyFile: "/var/run/kubernetes/proxy.key",
- ProxyClientCertFile: "/var/run/kubernetes/proxy.crt",
- Metrics: &metrics.Options{},
- Logs: logs.NewOptions(),
- IdentityLeaseDurationSeconds: 3600,
- IdentityLeaseRenewIntervalSeconds: 10,
+ EnableLogsHandler: false,
+ EnableAggregatorRouting: true,
+ ProxyClientKeyFile: "/var/run/kubernetes/proxy.key",
+ ProxyClientCertFile: "/var/run/kubernetes/proxy.crt",
+ Metrics: &metrics.Options{},
+ Logs: logs.NewOptions(),
+ IdentityLeaseDurationSeconds: 3600,
+ IdentityLeaseRenewIntervalSeconds: 10,
+ AggregatorRejectForwardingRedirects: true,
@ -96,10 +84,10 @@ index 8ad927bb..1f188590 100644
if !reflect.DeepEqual(expected, s) {
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go b/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
index 43f528d9..4ed108e9 100644
index f56c17ca..a3a14241 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware.go
@@ -80,6 +80,8 @@ type UpgradeAwareHandler struct {
@@ -83,6 +83,8 @@ type UpgradeAwareHandler struct {
MaxBytesPerSec int64
// Responder is passed errors that occur while setting up proxying.
Responder ErrorResponder
@ -108,7 +96,7 @@ index 43f528d9..4ed108e9 100644
}
const defaultFlushInterval = 200 * time.Millisecond
@@ -232,6 +234,31 @@ func (h *UpgradeAwareHandler) ServeHTTP(w http.ResponseWriter, req *http.Request
@@ -257,6 +259,31 @@ func (h *UpgradeAwareHandler) ServeHTTP(w http.ResponseWriter, req *http.Request
proxy.Transport = h.Transport
proxy.FlushInterval = h.FlushInterval
proxy.ErrorLog = log.New(noSuppressPanicError{}, "", log.LstdFlags)
@ -141,10 +129,10 @@ index 43f528d9..4ed108e9 100644
// if an optional error interceptor/responder was provided wire it
// the custom responder might be used for providing a unified error reporting
diff --git a/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware_test.go b/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware_test.go
index 3f2d41f9..33051ffa 100644
index f57b69a0..0d77fb11 100644
--- a/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware_test.go
+++ b/staging/src/k8s.io/apimachinery/pkg/util/proxy/upgradeaware_test.go
@@ -663,6 +663,83 @@ func TestProxyUpgradeErrorResponse(t *testing.T) {
@@ -704,6 +704,83 @@ func TestProxyUpgradeErrorResponse(t *testing.T) {
}
}
@ -229,10 +217,10 @@ index 3f2d41f9..33051ffa 100644
tests := []struct {
name,
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiserver.go b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiserver.go
index d0ab3186..50a85820 100644
index e945fb48..133887e1 100644
--- a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiserver.go
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/apiserver.go
@@ -80,6 +80,8 @@ type ExtraConfig struct {
@@ -87,6 +87,8 @@ type ExtraConfig struct {
// Mechanism by which the Aggregator will resolve services. Required.
ServiceResolver ServiceResolver
@ -241,7 +229,7 @@ index d0ab3186..50a85820 100644
}
// Config represents the configuration needed to create an APIAggregator.
@@ -143,6 +145,9 @@ type APIAggregator struct {
@@ -156,6 +158,9 @@ type APIAggregator struct {
// egressSelector selects the proper egress dialer to communicate with the custom apiserver
// overwrites proxyTransport dialer if not nil
egressSelector *egressselector.EgressSelector
@ -251,15 +239,15 @@ index d0ab3186..50a85820 100644
}
// Complete fills in any fields not set that are required to have valid data. It's mutating the receiver.
@@ -194,6 +199,7 @@ func (c completedConfig) NewWithDelegate(delegationTarget genericapiserver.Deleg
openAPIConfig: openAPIConfig,
@@ -213,6 +218,7 @@ func (c completedConfig) NewWithDelegate(delegationTarget genericapiserver.Deleg
openAPIV3Config: c.GenericConfig.OpenAPIV3Config,
egressSelector: c.GenericConfig.EgressSelector,
proxyCurrentCertKeyContent: func() (bytes []byte, bytes2 []byte) { return nil, nil },
+ rejectForwardingRedirects: c.ExtraConfig.RejectForwardingRedirects,
}
apiGroupInfo := apiservicerest.NewRESTStorage(c.GenericConfig.MergedResourceConfig, c.GenericConfig.RESTOptionsGetter)
@@ -384,6 +390,7 @@ func (s *APIAggregator) AddAPIService(apiService *v1.APIService) error {
// used later to filter the served resource by those that have expired.
@@ -443,6 +449,7 @@ func (s *APIAggregator) AddAPIService(apiService *v1.APIService) error {
proxyTransport: s.proxyTransport,
serviceResolver: s.serviceResolver,
egressSelector: s.egressSelector,
@ -268,7 +256,7 @@ index d0ab3186..50a85820 100644
proxyHandler.updateAPIService(apiService)
if s.openAPIAggregationController != nil {
diff --git a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy.go b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy.go
index e09f0d1a..a4257420 100644
index 3a880b6b..e1282f2a 100644
--- a/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy.go
+++ b/staging/src/k8s.io/kube-aggregator/pkg/apiserver/handler_proxy.go
@@ -68,6 +68,9 @@ type proxyHandler struct {
@ -281,16 +269,16 @@ index e09f0d1a..a4257420 100644
}
type proxyHandlingInfo struct {
@@ -176,6 +179,9 @@ func (r *proxyHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
@@ -172,6 +175,9 @@ func (r *proxyHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) {
}
handler := proxy.NewUpgradeAwareHandler(location, proxyRoundTripper, true, upgrade, &responder{w: w})
+ if r.rejectForwardingRedirects {
+ handler.RejectForwardingRedirects = true
+ }
utilflowcontrol.RequestDelegated(req.Context())
handler.ServeHTTP(w, newReq)
}
--
2.25.1

209
0004-fix-CVE-2021-25737.patch
View File

@ -1,209 +0,0 @@
From 9d22c94b7171a9a6ce0d167f6cb25abce2079941 Mon Sep 17 00:00:00 2001
From: Rob Scott <robertjscott@google.com>
Date: Fri, 9 Apr 2021 15:24:17 -0700
Subject: [PATCH] Updating EndpointSlice validation to match Endpoints
validation
(cherry picked from commit dd95bba6cd1dfec0985d3e1068c12713597cbe4a)
---
pkg/apis/core/validation/validation.go | 18 +++++----
pkg/apis/core/validation/validation_test.go | 40 +++++++++++++++++++
pkg/apis/discovery/validation/validation.go | 2 +
pkg/apis/discovery/validation/validation_test.go | 51 ++++++++++++++++++++++--
4 files changed, 101 insertions(+), 10 deletions(-)
diff --git a/pkg/apis/core/validation/validation.go b/pkg/apis/core/validation/validation.go
index af58e0e..d5e9037 100644
--- a/pkg/apis/core/validation/validation.go
+++ b/pkg/apis/core/validation/validation.go
@@ -4238,7 +4238,7 @@ func ValidateService(service *core.Service) field.ErrorList {
allErrs = append(allErrs, field.Invalid(idxPath, ip, msgs[i]))
}
} else {
- allErrs = append(allErrs, validateNonSpecialIP(ip, idxPath)...)
+ allErrs = append(allErrs, ValidateNonSpecialIP(ip, idxPath)...)
}
}
@@ -5673,15 +5673,19 @@ func validateEndpointAddress(address *core.EndpointAddress, fldPath *field.Path)
allErrs = append(allErrs, field.Invalid(fldPath.Child("nodeName"), *address.NodeName, msg))
}
}
- allErrs = append(allErrs, validateNonSpecialIP(address.IP, fldPath.Child("ip"))...)
+ allErrs = append(allErrs, ValidateNonSpecialIP(address.IP, fldPath.Child("ip"))...)
return allErrs
}
-func validateNonSpecialIP(ipAddress string, fldPath *field.Path) field.ErrorList {
- // We disallow some IPs as endpoints or external-ips. Specifically,
- // unspecified and loopback addresses are nonsensical and link-local
- // addresses tend to be used for node-centric purposes (e.g. metadata
- // service).
+// ValidateNonSpecialIP is used to validate Endpoints, EndpointSlices, and
+// external IPs. Specifically, this disallows unspecified and loopback addresses
+// are nonsensical and link-local addresses tend to be used for node-centric
+// purposes (e.g. metadata service).
+//
+// IPv6 references
+// - https://www.iana.org/assignments/iana-ipv6-special-registry/iana-ipv6-special-registry.xhtml
+// - https://www.iana.org/assignments/ipv6-multicast-addresses/ipv6-multicast-addresses.xhtml
+func ValidateNonSpecialIP(ipAddress string, fldPath *field.Path) field.ErrorList {
allErrs := field.ErrorList{}
ip := net.ParseIP(ipAddress)
if ip == nil {
diff --git a/pkg/apis/core/validation/validation_test.go b/pkg/apis/core/validation/validation_test.go
index bfdb523..f379cd4 100644
--- a/pkg/apis/core/validation/validation_test.go
+++ b/pkg/apis/core/validation/validation_test.go
@@ -16915,3 +16915,43 @@ func TestValidatePodTemplateSpecSeccomp(t *testing.T) {
asserttestify.Equal(t, test.expectedErr, err, "TestCase[%d]: %s", i, test.description)
}
}
+
+func TestValidateNonSpecialIP(t *testing.T) {
+ fp := field.NewPath("ip")
+
+ // Valid values.
+ for _, tc := range []struct {
+ desc string
+ ip string
+ }{
+ {"ipv4", "10.1.2.3"},
+ {"ipv6", "2000::1"},
+ } {
+ t.Run(tc.desc, func(t *testing.T) {
+ errs := ValidateNonSpecialIP(tc.ip, fp)
+ if len(errs) != 0 {
+ t.Errorf("ValidateNonSpecialIP(%q, ...) = %v; want nil", tc.ip, errs)
+ }
+ })
+ }
+ // Invalid cases
+ for _, tc := range []struct {
+ desc string
+ ip string
+ }{
+ {"ipv4 unspecified", "0.0.0.0"},
+ {"ipv6 unspecified", "::0"},
+ {"ipv4 localhost", "127.0.0.0"},
+ {"ipv4 localhost", "127.255.255.255"},
+ {"ipv6 localhost", "::1"},
+ {"ipv6 link local", "fe80::"},
+ {"ipv6 local multicast", "ff02::"},
+ } {
+ t.Run(tc.desc, func(t *testing.T) {
+ errs := ValidateNonSpecialIP(tc.ip, fp)
+ if len(errs) == 0 {
+ t.Errorf("ValidateNonSpecialIP(%q, ...) = nil; want non-nil (errors)", tc.ip)
+ }
+ })
+ }
+}
diff --git a/pkg/apis/discovery/validation/validation.go b/pkg/apis/discovery/validation/validation.go
index 8499e7a..d1fa4c8 100644
--- a/pkg/apis/discovery/validation/validation.go
+++ b/pkg/apis/discovery/validation/validation.go
@@ -96,8 +96,10 @@ func validateEndpoints(endpoints []discovery.Endpoint, addrType discovery.Addres
switch addrType {
case discovery.AddressTypeIPv4:
allErrs = append(allErrs, validation.IsValidIPv4Address(addressPath.Index(i), address)...)
+ allErrs = append(allErrs, apivalidation.ValidateNonSpecialIP(address, addressPath.Index(i))...)
case discovery.AddressTypeIPv6:
allErrs = append(allErrs, validation.IsValidIPv6Address(addressPath.Index(i), address)...)
+ allErrs = append(allErrs, apivalidation.ValidateNonSpecialIP(address, addressPath.Index(i))...)
case discovery.AddressTypeFQDN:
allErrs = append(allErrs, validation.IsFullyQualifiedDomainName(addressPath.Index(i), address)...)
}
diff --git a/pkg/apis/discovery/validation/validation_test.go b/pkg/apis/discovery/validation/validation_test.go
index 5c7d478..0d944b5 100644
--- a/pkg/apis/discovery/validation/validation_test.go
+++ b/pkg/apis/discovery/validation/validation_test.go
@@ -52,6 +52,21 @@ func TestValidateEndpointSlice(t *testing.T) {
}},
},
},
+ "good-ipv6": {
+ expectedErrors: 0,
+ endpointSlice: &discovery.EndpointSlice{
+ ObjectMeta: standardMeta,
+ AddressType: discovery.AddressTypeIPv6,
+ Ports: []discovery.EndpointPort{{
+ Name: utilpointer.StringPtr("http"),
+ Protocol: protocolPtr(api.ProtocolTCP),
+ }},
+ Endpoints: []discovery.Endpoint{{
+ Addresses: []string{"a00:100::4"},
+ Hostname: utilpointer.StringPtr("valid-123"),
+ }},
+ },
+ },
"good-fqdns": {
expectedErrors: 0,
endpointSlice: &discovery.EndpointSlice{
@@ -375,7 +390,7 @@ func TestValidateEndpointSlice(t *testing.T) {
},
},
"bad-ip": {
- expectedErrors: 1,
+ expectedErrors: 2,
endpointSlice: &discovery.EndpointSlice{
ObjectMeta: standardMeta,
AddressType: discovery.AddressTypeIPv4,
@@ -390,7 +405,7 @@ func TestValidateEndpointSlice(t *testing.T) {
},
},
"bad-ipv4": {
- expectedErrors: 2,
+ expectedErrors: 3,
endpointSlice: &discovery.EndpointSlice{
ObjectMeta: standardMeta,
AddressType: discovery.AddressTypeIPv4,
@@ -405,7 +420,7 @@ func TestValidateEndpointSlice(t *testing.T) {
},
},
"bad-ipv6": {
- expectedErrors: 2,
+ expectedErrors: 4,
endpointSlice: &discovery.EndpointSlice{
ObjectMeta: standardMeta,
AddressType: discovery.AddressTypeIPv6,
@@ -454,6 +469,36 @@ func TestValidateEndpointSlice(t *testing.T) {
expectedErrors: 3,
endpointSlice: &discovery.EndpointSlice{},
},
+ "special-ipv4": {
+ expectedErrors: 1,
+ endpointSlice: &discovery.EndpointSlice{
+ ObjectMeta: standardMeta,
+ AddressType: discovery.AddressTypeIPv4,
+ Ports: []discovery.EndpointPort{{
+ Name: utilpointer.StringPtr("http"),
+ Protocol: protocolPtr(api.ProtocolTCP),
+ }},
+ Endpoints: []discovery.Endpoint{{
+ Addresses: []string{"127.0.0.1"},
+ Hostname: utilpointer.StringPtr("valid-123"),
+ }},
+ },
+ },
+ "special-ipv6": {
+ expectedErrors: 1,
+ endpointSlice: &discovery.EndpointSlice{
+ ObjectMeta: standardMeta,
+ AddressType: discovery.AddressTypeIPv6,
+ Ports: []discovery.EndpointPort{{
+ Name: utilpointer.StringPtr("http"),
+ Protocol: protocolPtr(api.ProtocolTCP),
+ }},
+ Endpoints: []discovery.Endpoint{{
+ Addresses: []string{"fe80::9656:d028:8652:66b6"},
+ Hostname: utilpointer.StringPtr("valid-123"),
+ }},
+ },
+ },
}
for name, testCase := range testCases {
--
1.8.3.1

86
0010-Escape-terminal-special-characters-in-kubectl-112553.patch → 0005-Escape-terminal-special-characters-in-kubectl-112553.patch
View File

@ -1,53 +1,75 @@
From a2f7a90f4a71d3eaef19521baa99f27981d7554e Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Mon, 28 Nov 2022 10:56:01 +0800
Subject: [PATCH] Escape terminal special characters in kubectl (#112553)
From ffa3e2336c5f4078c84f8c719c48673c7e5f7290 Mon Sep 17 00:00:00 2001
From: David Leadbeater <dgl@dgl.cx>
Date: Mon, 31 Oct 2022 01:08:43 +1000
Subject: Escape terminal special characters in kubectl (#112553)
* Escape terminal special characters in kubectl
* Add escaping for kubectl alpha events
Signed-off-by: David Leadbeater <dgl@dgl.cx>
---
.../cli-runtime/pkg/printers/tableprinter.go | 19 ++++++++-
.../cli-runtime/pkg/printers/tableprinter.go | 13 ++++---
.../pkg/printers/tableprinter_test.go | 12 ++++++
.../cli-runtime/pkg/printers/terminal.go | 39 +++++++++++++++++++
.../kubectl/pkg/cmd/get/customcolumn.go | 2 +-
.../kubectl/pkg/cmd/get/customcolumn_test.go | 16 ++++++++
.../k8s.io/kubectl/pkg/describe/describe.go | 7 +++-
.../kubectl/pkg/describe/describe_test.go | 19 +++++++++
6 files changed, 98 insertions(+), 4 deletions(-)
7 files changed, 99 insertions(+), 9 deletions(-)
create mode 100644 staging/src/k8s.io/cli-runtime/pkg/printers/terminal.go
diff --git a/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter.go b/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter.go
index 56bd05aa..c6bab0ee 100644
index 87bc3f41..54859665 100644
--- a/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter.go
+++ b/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter.go
@@ -209,7 +209,24 @@ func printTable(table *metav1.Table, output io.Writer, options PrintOptions) err
fmt.Fprint(output, "\t")
}
if cell != nil {
- fmt.Fprint(output, cell)
+ switch val := cell.(type) {
+ case string:
+ print := val
+ truncated := false
@@ -212,18 +212,19 @@ func printTable(table *metav1.Table, output io.Writer, options PrintOptions) err
case string:
print := val
truncated := false
- // truncate at newlines
- newline := strings.Index(print, "\n")
- if newline >= 0 {
+ // Truncate at the first newline, carriage return or formfeed
+ // (treated as a newline by tabwriter).
+ breakchar := strings.IndexAny(print, "\f\n\r")
+ if breakchar >= 0 {
+ truncated = true
truncated = true
- print = print[:newline]
+ print = print[:breakchar]
+ }
}
- fmt.Fprint(output, print)
+ WriteEscaped(output, print)
+ if truncated {
+ fmt.Fprint(output, "...")
+ }
+ default:
if truncated {
fmt.Fprint(output, "...")
}
default:
- fmt.Fprint(output, val)
+ WriteEscaped(output, fmt.Sprint(val))
+ }
}
}
}
fmt.Fprintln(output)
diff --git a/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter_test.go b/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter_test.go
index b2caaa12..edbff3ff 100644
--- a/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter_test.go
+++ b/staging/src/k8s.io/cli-runtime/pkg/printers/tableprinter_test.go
@@ -769,6 +769,18 @@ test1 20h This is first line which is long and goes for on and on and on an
},
expected: `NAME AGE DESCRIPTION
test1 20h This is first...
+`,
+ },
+ // terminal special character, should be escaped
+ {
+ columns: []metav1.TableColumnDefinition{
+ {Name: "Name", Type: "string"},
+ },
+ rows: []metav1.TableRow{
+ {Cells: []interface{}{"test1\x1b"}},
+ },
+ expected: `NAME
+test1^[
`,
},
}
diff --git a/staging/src/k8s.io/cli-runtime/pkg/printers/terminal.go b/staging/src/k8s.io/cli-runtime/pkg/printers/terminal.go
new file mode 100644
index 00000000..5a59491e
@ -134,18 +156,18 @@ index e4fb17a8..de403142 100644
},
}
diff --git a/staging/src/k8s.io/kubectl/pkg/describe/describe.go b/staging/src/k8s.io/kubectl/pkg/describe/describe.go
index ba59c191..35253c87 100644
index 2a8bf9cc..ef8070f1 100644
--- a/staging/src/k8s.io/kubectl/pkg/describe/describe.go
+++ b/staging/src/k8s.io/kubectl/pkg/describe/describe.go
@@ -62,6 +62,7 @@ import (
@@ -65,6 +65,7 @@ import (
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/cli-runtime/pkg/genericclioptions"
+ "k8s.io/cli-runtime/pkg/printers"
runtimeresource "k8s.io/cli-runtime/pkg/resource"
"k8s.io/client-go/dynamic"
clientset "k8s.io/client-go/kubernetes"
corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
@@ -143,11 +144,13 @@ func (pw *prefixWriter) Write(level int, format string, a ...interface{}) {
@@ -148,11 +149,13 @@ func (pw *prefixWriter) Write(level int, format string, a ...interface{}) {
for i := 0; i < level; i++ {
prefix += levelSpace
}
@ -162,10 +184,10 @@ index ba59c191..35253c87 100644
func (pw *prefixWriter) Flush() {
diff --git a/staging/src/k8s.io/kubectl/pkg/describe/describe_test.go b/staging/src/k8s.io/kubectl/pkg/describe/describe_test.go
index 3ef9afdc..b3f31579 100644
index 7314feb2..5d8f1a0b 100644
--- a/staging/src/k8s.io/kubectl/pkg/describe/describe_test.go
+++ b/staging/src/k8s.io/kubectl/pkg/describe/describe_test.go
@@ -4459,3 +4459,22 @@ func TestControllerRef(t *testing.T) {
@@ -5322,3 +5322,22 @@ func TestControllerRef(t *testing.T) {
t.Errorf("unexpected out: %s", out)
}
}

168
0005-fix-CVE-2021-25741.patch
View File

@ -1,168 +0,0 @@
From e604f40bcc61048b69654a4f4daa593f6adf7ade Mon Sep 17 00:00:00 2001
From: Mauricio Poppe <mauriciopoppe@google.com>
Date: Thu, 5 Aug 2021 22:31:38 +0000
Subject: [PATCH] Pass additional flags to subpath mount to avoid flakes in
certain conditions
(cherry picked from commit 8995693db5824a50249760f6b8e686cc1a500bad)
Signed-off-by: leizhongkai <leizhongkai@huawei.com>
---
pkg/volume/util/subpath/subpath_linux.go | 3 ++-
staging/src/k8s.io/mount-utils/fake_mounter.go | 4 ++++
staging/src/k8s.io/mount-utils/mount.go | 2 ++
staging/src/k8s.io/mount-utils/mount_linux.go | 31 ++++++++++++++++---------
staging/src/k8s.io/mount-utils/mount_windows.go | 6 +++++
5 files changed, 34 insertions(+), 12 deletions(-)
diff --git a/pkg/volume/util/subpath/subpath_linux.go b/pkg/volume/util/subpath/subpath_linux.go
index c04f0a7..0588f3a 100644
--- a/pkg/volume/util/subpath/subpath_linux.go
+++ b/pkg/volume/util/subpath/subpath_linux.go
@@ -209,8 +209,9 @@ func doBindSubPath(mounter mount.Interface, subpath Subpath) (hostPath string, e
// Do the bind mount
options := []string{"bind"}
+ mountFlags := []string{"--no-canonicalize"}
klog.V(5).Infof("bind mounting %q at %q", mountSource, bindPathTarget)
- if err = mounter.MountSensitiveWithoutSystemd(mountSource, bindPathTarget, "" /*fstype*/, options, nil); err != nil {
+ if err = mounter.MountSensitiveWithoutSystemdWithMountFlags(mountSource, bindPathTarget, "" /*fstype*/, options, nil /* sensitiveOptions */, mountFlags); err != nil {
return "", fmt.Errorf("error mounting %s: %s", subpath.Path, err)
}
success = true
diff --git a/staging/src/k8s.io/mount-utils/fake_mounter.go b/staging/src/k8s.io/mount-utils/fake_mounter.go
index 393ed04..55ea5e2 100644
--- a/staging/src/k8s.io/mount-utils/fake_mounter.go
+++ b/staging/src/k8s.io/mount-utils/fake_mounter.go
@@ -136,6 +136,10 @@ func (f *FakeMounter) MountSensitiveWithoutSystemd(source string, target string,
return f.MountSensitive(source, target, fstype, options, nil /* sensitiveOptions */)
}
+func (f *FakeMounter) MountSensitiveWithoutSystemdWithMountFlags(source string, target string, fstype string, options []string, sensitiveOptions []string, mountFlags []string) error {
+ return f.MountSensitive(source, target, fstype, options, nil /* sensitiveOptions */)
+}
+
// Unmount records the unmount event and updates the in-memory mount points for FakeMounter
func (f *FakeMounter) Unmount(target string) error {
f.mutex.Lock()
diff --git a/staging/src/k8s.io/mount-utils/mount.go b/staging/src/k8s.io/mount-utils/mount.go
index c78cf13..9e2d5d9 100644
--- a/staging/src/k8s.io/mount-utils/mount.go
+++ b/staging/src/k8s.io/mount-utils/mount.go
@@ -48,6 +48,8 @@ type Interface interface {
MountSensitive(source string, target string, fstype string, options []string, sensitiveOptions []string) error
// MountSensitiveWithoutSystemd is the same as MountSensitive() but this method disable using systemd mount.
MountSensitiveWithoutSystemd(source string, target string, fstype string, options []string, sensitiveOptions []string) error
+ // MountSensitiveWithoutSystemdWithMountFlags is the same as MountSensitiveWithoutSystemd() with additional mount flags
+ MountSensitiveWithoutSystemdWithMountFlags(source string, target string, fstype string, options []string, sensitiveOptions []string, mountFlags []string) error
// Unmount unmounts given target.
Unmount(target string) error
// List returns a list of all mounted filesystems. This can be large.
diff --git a/staging/src/k8s.io/mount-utils/mount_linux.go b/staging/src/k8s.io/mount-utils/mount_linux.go
index 20993cf..e9daa56 100644
--- a/staging/src/k8s.io/mount-utils/mount_linux.go
+++ b/staging/src/k8s.io/mount-utils/mount_linux.go
@@ -83,11 +83,11 @@ func (mounter *Mounter) MountSensitive(source string, target string, fstype stri
mounterPath := ""
bind, bindOpts, bindRemountOpts, bindRemountOptsSensitive := MakeBindOptsSensitive(options, sensitiveOptions)
if bind {
- err := mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindOpts, bindRemountOptsSensitive, true)
+ err := mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindOpts, bindRemountOptsSensitive, nil /* mountFlags */, true)
if err != nil {
return err
}
- return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindRemountOpts, bindRemountOptsSensitive, true)
+ return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindRemountOpts, bindRemountOptsSensitive, nil /* mountFlags */, true)
}
// The list of filesystems that require containerized mounter on GCI image cluster
fsTypesNeedMounter := map[string]struct{}{
@@ -99,19 +99,24 @@ func (mounter *Mounter) MountSensitive(source string, target string, fstype stri
if _, ok := fsTypesNeedMounter[fstype]; ok {
mounterPath = mounter.mounterPath
}
- return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, options, sensitiveOptions, true)
+ return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, options, sensitiveOptions, nil /* mountFlags */, true)
}
// MountSensitiveWithoutSystemd is the same as MountSensitive() but disable using systemd mount.
func (mounter *Mounter) MountSensitiveWithoutSystemd(source string, target string, fstype string, options []string, sensitiveOptions []string) error {
+ return mounter.MountSensitiveWithoutSystemdWithMountFlags(source, target, fstype, options, sensitiveOptions, nil /* mountFlags */)
+}
+
+// MountSensitiveWithoutSystemdWithMountFlags is the same as MountSensitiveWithoutSystemd with additional mount flags.
+func (mounter *Mounter) MountSensitiveWithoutSystemdWithMountFlags(source string, target string, fstype string, options []string, sensitiveOptions []string, mountFlags []string) error {
mounterPath := ""
bind, bindOpts, bindRemountOpts, bindRemountOptsSensitive := MakeBindOptsSensitive(options, sensitiveOptions)
if bind {
- err := mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindOpts, bindRemountOptsSensitive, false)
+ err := mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindOpts, bindRemountOptsSensitive, mountFlags, false)
if err != nil {
return err
}
- return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindRemountOpts, bindRemountOptsSensitive, false)
+ return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, bindRemountOpts, bindRemountOptsSensitive, mountFlags, false)
}
// The list of filesystems that require containerized mounter on GCI image cluster
fsTypesNeedMounter := map[string]struct{}{
@@ -123,14 +128,14 @@ func (mounter *Mounter) MountSensitiveWithoutSystemd(source string, target strin
if _, ok := fsTypesNeedMounter[fstype]; ok {
mounterPath = mounter.mounterPath
}
- return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, options, sensitiveOptions, false)
+ return mounter.doMount(mounterPath, defaultMountCommand, source, target, fstype, options, sensitiveOptions, mountFlags, false)
}
// doMount runs the mount command. mounterPath is the path to mounter binary if containerized mounter is used.
// sensitiveOptions is an extension of options except they will not be logged (because they may contain sensitive material)
// systemdMountRequired is an extension of option to decide whether uses systemd mount.
-func (mounter *Mounter) doMount(mounterPath string, mountCmd string, source string, target string, fstype string, options []string, sensitiveOptions []string, systemdMountRequired bool) error {
- mountArgs, mountArgsLogStr := MakeMountArgsSensitive(source, target, fstype, options, sensitiveOptions)
+func (mounter *Mounter) doMount(mounterPath string, mountCmd string, source string, target string, fstype string, options []string, sensitiveOptions []string, mountFlags []string, systemdMountRequired bool) error {
+ mountArgs, mountArgsLogStr := MakeMountArgsSensitive(source, target, fstype, options, sensitiveOptions, mountFlags)
if len(mounterPath) > 0 {
mountArgs = append([]string{mountCmd}, mountArgs...)
mountArgsLogStr = mountCmd + " " + mountArgsLogStr
@@ -206,17 +211,21 @@ func detectSystemd() bool {
// MakeMountArgs makes the arguments to the mount(8) command.
// options MUST not contain sensitive material (like passwords).
func MakeMountArgs(source, target, fstype string, options []string) (mountArgs []string) {
- mountArgs, _ = MakeMountArgsSensitive(source, target, fstype, options, nil /* sensitiveOptions */)
+ mountArgs, _ = MakeMountArgsSensitive(source, target, fstype, options, nil /* sensitiveOptions */, nil /* mountFlags */)
return mountArgs
}
// MakeMountArgsSensitive makes the arguments to the mount(8) command.
// sensitiveOptions is an extension of options except they will not be logged (because they may contain sensitive material)
-func MakeMountArgsSensitive(source, target, fstype string, options []string, sensitiveOptions []string) (mountArgs []string, mountArgsLogStr string) {
+func MakeMountArgsSensitive(source, target, fstype string, options []string, sensitiveOptions []string, mountFlags []string) (mountArgs []string, mountArgsLogStr string) {
// Build mount command as follows:
- // mount [-t $fstype] [-o $options] [$source] $target
+ // mount [--$mountFlags] [-t $fstype] [-o $options] [$source] $target
mountArgs = []string{}
mountArgsLogStr = ""
+
+ mountArgs = append(mountArgs, mountFlags...)
+ mountArgsLogStr += strings.Join(mountFlags, " ")
+
if len(fstype) > 0 {
mountArgs = append(mountArgs, "-t", fstype)
mountArgsLogStr += strings.Join(mountArgs, " ")
diff --git a/staging/src/k8s.io/mount-utils/mount_windows.go b/staging/src/k8s.io/mount-utils/mount_windows.go
index 358bcf5..92b42ca 100644
--- a/staging/src/k8s.io/mount-utils/mount_windows.go
+++ b/staging/src/k8s.io/mount-utils/mount_windows.go
@@ -64,6 +64,12 @@ func (mounter *Mounter) MountSensitiveWithoutSystemd(source string, target strin
return mounter.MountSensitive(source, target, fstype, options, sensitiveOptions /* sensitiveOptions */)
}
+// MountSensitiveWithoutSystemdWithMountFlags is the same as MountSensitiveWithoutSystemd with additional mount flags
+// Windows not supported systemd mount, this function degrades to MountSensitive().
+func (mounter *Mounter) MountSensitiveWithoutSystemdWithMountFlags(source string, target string, fstype string, options []string, sensitiveOptions []string, mountFlags []string) error {
+ return mounter.MountSensitive(source, target, fstype, options, sensitiveOptions /* sensitiveOptions */)
+}
+
// MountSensitive is the same as Mount() but this method allows
// sensitiveOptions to be passed in a separate parameter from the normal
// mount options and ensures the sensitiveOptions are never logged. This
--
1.8.3.1

63
0006-kubelet-support-attach-websocket-protocol.patch
View File

@ -1,63 +0,0 @@
From 460bb849ad71236890c2c3fa7757a0cdbfda2c2b Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Sat, 19 Mar 2022 16:23:01 +0800
Subject: [PATCH] kubelet support attach websocket protocol
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
pkg/kubelet/server/server.go | 22 ++++++++++++++++++----
1 file changed, 18 insertions(+), 4 deletions(-)
diff --git a/pkg/kubelet/server/server.go b/pkg/kubelet/server/server.go
index 1d19fed6..0cf69b5f 100644
--- a/pkg/kubelet/server/server.go
+++ b/pkg/kubelet/server/server.go
@@ -757,27 +757,41 @@ func proxyStream(w http.ResponseWriter, r *http.Request, url *url.URL) {
// getAttach handles requests to attach to a container.
func (s *Server) getAttach(request *restful.Request, response *restful.Response) {
- params := getExecRequestParams(request)
streamOpts, err := remotecommandserver.NewOptions(request.Request)
if err != nil {
utilruntime.HandleError(err)
response.WriteError(http.StatusBadRequest, err)
return
}
+
+ url, err := s.getAttachUrl(request, response, streamOpts)
+ if err != nil {
+ klog.Errorf("failed to get backend url %v", err)
+ return
+ }
+ if url.Scheme == "ws" || url.Scheme == "wss" {
+ remotecommandserver.ProxyToWebSocket(response.ResponseWriter, request.Request, url, streamOpts)
+ } else {
+ proxyStream(response.ResponseWriter, request.Request, url)
+ }
+}
+
+func (s *Server) getAttachUrl(request *restful.Request, response *restful.Response, streamOpts *remotecommandserver.Options) (*url.URL, error) {
+ params := getExecRequestParams(request)
pod, ok := s.host.GetPodByName(params.podNamespace, params.podName)
if !ok {
response.WriteError(http.StatusNotFound, fmt.Errorf("pod does not exist"))
- return
+ return nil, fmt.Errorf("pod not found")
}
podFullName := kubecontainer.GetPodFullName(pod)
url, err := s.host.GetAttach(podFullName, params.podUID, params.containerName, *streamOpts)
if err != nil {
streaming.WriteError(err, response.ResponseWriter)
- return
+ return nil, err
}
- proxyStream(response.ResponseWriter, request.Request, url)
+ return url, nil
}
// getExec handles requests to run a command inside a container.
--
2.25.1

46
0008-kubelet-fix-websocket-reference-nil-pointer.patch
View File

@ -1,46 +0,0 @@
From 760129610e5b54d548247490899a8595cea2d5b8 Mon Sep 17 00:00:00 2001
From: zhangxiaoyu <zhangxiaoyu58@huawei.com>
Date: Mon, 31 Oct 2022 17:15:51 +0800
Subject: [PATCH] kubelet fix websocket reference nul pointer
Signed-off-by: zhangxiaoyu <zhangxiaoyu58@huawei.com>
---
.../cri/streaming/remotecommand/proxy.go | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/pkg/kubelet/cri/streaming/remotecommand/proxy.go b/pkg/kubelet/cri/streaming/remotecommand/proxy.go
index 76222d90..f21629af 100644
--- a/pkg/kubelet/cri/streaming/remotecommand/proxy.go
+++ b/pkg/kubelet/cri/streaming/remotecommand/proxy.go
@@ -169,14 +169,23 @@ func connectBackend(addr, subprotocol string, r *http.Request) (*websocket.Conn,
websocket.DefaultDialer.ReadBufferSize = 128 * 1024
websocket.DefaultDialer.WriteBufferSize = 128 * 1024
ws, resp, err := websocket.DefaultDialer.Dial(addr, h)
- if err != nil {
+ if err == nil {
+ return ws, nil
+ }
+ msg := fmt.Errorf("dial failed: %v, response Body is nil", err)
+ if resp != nil && resp.Body != nil {
+ defer func() {
+ //websocket buffer size maybe not enough and cause panic
+ if e := recover(); e != nil {
+ msg = fmt.Errorf("dial failed: %v, response panic %v", err, e)
+ }
+ resp.Body.Close()
+ }()
var body bytes.Buffer
body.ReadFrom(resp.Body)
- defer resp.Body.Close()
- msg := fmt.Errorf("dial failed: %v, response is: %v", err, body.String())
- return nil, msg
+ msg = fmt.Errorf("dial failed: %v, response is: %v", err, body.String())
}
- return ws, nil
+ return nil, msg
}
type rwc struct {
--
2.25.1

38
0011-Remove-Endpoints-write-access-from-aggregated-edit-r.patch
View File

@ -1,38 +0,0 @@
From 416efdab26afe06cf2b57991dfac511769bf508b Mon Sep 17 00:00:00 2001
From: Rob Scott <robertjscott@google.com>
Date: Tue, 13 Jul 2021 22:17:12 -0700
Subject: [PATCH] Remove Endpoints write access from aggregated edit role
---
plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go | 2 +-
.../authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml | 1 -
2 files changed, 1 insertion(+), 2 deletions(-)
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
index 352543a2..903c6723 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/policy.go
@@ -286,7 +286,7 @@ func ClusterRoles() []rbacv1.ClusterRole {
rbacv1helpers.NewRule(Write...).Groups(legacyGroup).Resources("pods", "pods/attach", "pods/proxy", "pods/exec", "pods/portforward").RuleOrDie(),
rbacv1helpers.NewRule(Write...).Groups(legacyGroup).Resources("replicationcontrollers", "replicationcontrollers/scale", "serviceaccounts",
- "services", "services/proxy", "endpoints", "persistentvolumeclaims", "configmaps", "secrets").RuleOrDie(),
+ "services", "services/proxy", "persistentvolumeclaims", "configmaps", "secrets").RuleOrDie(),
rbacv1helpers.NewRule(Write...).Groups(appsGroup).Resources(
"statefulsets", "statefulsets/scale",
diff --git a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
index 2f571c76..e869c122 100644
--- a/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
+++ b/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/testdata/cluster-roles.yaml
@@ -128,7 +128,6 @@ items:
- ""
resources:
- configmaps
- - endpoints
- persistentvolumeclaims
- replicationcontrollers
- replicationcontrollers/scale
--
2.25.1

36
kubernetes.spec
View File

@ -2,12 +2,12 @@
%global _buildshell /bin/bash
Name: kubernetes
Version: 1.20.2
Release: 16
Version: 1.24.0
Release: 1
Summary: Container cluster management
License: ASL 2.0
URL: https://k8s.io/kubernetes
Source0: https://github.com/kubernetes/kubernetes/archive/v1.20.2.tar.gz
Source0: https://github.com/kubernetes/kubernetes/archive/v1.24.0.tar.gz
Source1: kube-proxy.service
Source2: kube-apiserver.service
Source3: kube-scheduler.service
@ -24,17 +24,11 @@ Source13: kubernetes-accounting.conf
Source14: kubeadm.conf
Source15: kubernetes.conf
Patch6000: 0001-kubelet-support-exec-websocket-protocol.patch
Patch6001: 0002-fix-compile-options.patch
Patch6002: 0003-fix-CVE-2021-25735.patch
Patch6003: 0004-fix-CVE-2021-25737.patch
Patch6004: 0005-fix-CVE-2021-25741.patch
Patch6005: 0006-kubelet-support-attach-websocket-protocol.patch
Patch6006: 0007-Add-an-option-for-aggregator.patch
Patch6007: 0008-kubelet-fix-websocket-reference-nil-pointer.patch
Patch6008: 0009-timeout-wait-backend-to-frontend-complete.patch
Patch6009: 0010-Escape-terminal-special-characters-in-kubectl-112553.patch
Patch6010: 0011-Remove-Endpoints-write-access-from-aggregated-edit-r.patch
Patch0001: 0001-fix-compile-options.patch
Patch0002: 0002-kubelet-support-exec-and-attach-websocket-protocol.patch
Patch0003: 0003-timeout-wait-backend-to-frontend-complete.patch
Patch0004: 0004-Add-an-option-for-aggregator.patch
Patch0005: 0005-Escape-terminal-special-characters-in-kubectl-112553.patch
%description
Container cluster management.
@ -95,7 +89,7 @@ Summary: Help documents for kubernetes
Help documents for kubernetes.
%prep
%autosetup -n kubernetes-1.20.2 -p1
%autosetup -n kubernetes-%{version} -p1
mkdir -p src/k8s.io/kubernetes
mv $(ls | grep -v "^src$") src/k8s.io/kubernetes/.
@ -266,6 +260,12 @@ getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \
%systemd_postun kubelet kube-proxy
%changelog
* Tue Jan 03 2023 zhangxiaoyu <zhangxiaoyu58@huawei.com> - 1.24.0-1
- Type:update
- CVE:NA
- SUG:NA
- DESC:update to 1.24.0
* Thu Dec 08 2022 zhangxiaoyu <zhangxiaoyu58@huawei.com> - 1.20.2-16
- Type:bugfix
- CVE:NA
@ -314,13 +314,13 @@ getent passwd kube >/dev/null || useradd -r -g kube -d / -s /sbin/nologin \
* Mon Mar 22 2021 wangfengtu <wangfengtu@huawei.com> - 1.20.2-4
- Fix compile options
* The Feb 09 2021 lixiang <lixiang172@huawei.com> - 1.20.2-3
* Tue Feb 09 2021 lixiang <lixiang172@huawei.com> - 1.20.2-3
- Remove go-md2man build require since it's no longer provided
* Thu Feb 2 2021 gaohuatao <gaohuatao@huawei.com> - 1.20.2-2
* Tue Feb 2 2021 gaohuatao <gaohuatao@huawei.com> - 1.20.2-2
- Add kubelet support ws
* Fri Jan 20 2021 lixiang <lixiang172@huawei.com> - 1.20.2-1
* Wed Jan 20 2021 lixiang <lixiang172@huawei.com> - 1.20.2-1
- Bump version to v1.20.2
* Fri Sep 18 2020 xiadanni <xiadanni1@huawei.com> - 1.18.6-3

BIN
v1.20.2.tar.gz → v1.24.0.tar.gz
View File

Binary file not shown.